packages/krb5
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2023-36054

Browse Source 
(cherry picked from commit 3f79a0898583ac0e69e17968e0f1a2304f75342c)
This commit is contained in:
liningjie 2023-08-15 12:12:15 +08:00 committed by openeuler-sync-bot
parent c0e2bf2cd1
commit 9f99da57a6
2 changed files with 70 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

65
CVE-2023-36054.patch Normal file
View File

@ -0,0 +1,65 @@
From ef08b09c9459551aabbe7924fb176f1583053cdd Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Wed, 21 Jun 2023 10:57:39 -0400
Subject: [PATCH] Ensure array count consistency in kadm5 RPC
In _xdr_kadm5_principal_ent_rec(), ensure that n_key_data matches the
key_data array count when decoding. Otherwise when the structure is
later freed, xdr_array() could iterate over the wrong number of
elements, either leaking some memory or freeing uninitialized
pointers. Reported by Robert Morris.
CVE-2023-36054:
An authenticated attacker can cause a kadmind process to crash by
freeing uninitialized pointers. Remote code execution is unlikely.
An attacker with control of a kadmin server can cause a kadmin client
to crash by freeing uninitialized pointers.
ticket: 9099 (new)
tags: pullup
target_version: 1.21-next
target_version: 1.20-next
---
src/lib/kadm5/kadm_rpc_xdr.c | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/src/lib/kadm5/kadm_rpc_xdr.c b/src/lib/kadm5/kadm_rpc_xdr.c
index 0411c3fd3..287cae750 100644
--- a/src/lib/kadm5/kadm_rpc_xdr.c
+++ b/src/lib/kadm5/kadm_rpc_xdr.c
@@ -390,6 +390,7 @@ _xdr_kadm5_principal_ent_rec(XDR *xdrs, kadm5_principal_ent_rec *objp,
int v)
{
unsigned int n;
+ bool_t r;
if (!xdr_krb5_principal(xdrs, &objp->principal)) {
return (FALSE);
@@ -443,6 +444,9 @@ _xdr_kadm5_principal_ent_rec(XDR *xdrs, kadm5_principal_ent_rec *objp,
if (!xdr_krb5_int16(xdrs, &objp->n_key_data)) {
return (FALSE);
}
+ if (xdrs->x_op == XDR_DECODE && objp->n_key_data < 0) {
+ return (FALSE);
+ }
if (!xdr_krb5_int16(xdrs, &objp->n_tl_data)) {
return (FALSE);
}
@@ -451,9 +455,10 @@ _xdr_kadm5_principal_ent_rec(XDR *xdrs, kadm5_principal_ent_rec *objp,
return FALSE;
}
n = objp->n_key_data;
- if (!xdr_array(xdrs, (caddr_t *) &objp->key_data,
- &n, ~0, sizeof(krb5_key_data),
- xdr_krb5_key_data_nocontents)) {
+ r = xdr_array(xdrs, (caddr_t *) &objp->key_data, &n, objp->n_key_data,
+ sizeof(krb5_key_data), xdr_krb5_key_data_nocontents);
+ objp->n_key_data = n;
+ if (!r) {
return (FALSE);
}
--
2.41.0.windows.3

6
krb5.spec
View File

@ -3,7 +3,7 @@
Name: krb5
Version: 1.19.2
Release: 8
Release: 9
Summary: The Kerberos network authentication protocol
License: MIT
URL: http://web.mit.edu/kerberos/www/
@ -35,6 +35,7 @@ Patch11: backport-Fix-gic_keytab-crash-on-memory-exhaustion.patch
Patch12: backport-Fix-many-unlikely-memory-leaks.patch
Patch13: backport-Free-verto-context-later-in-KDC-cleanup.patch
Patch14: backport-Squash-unused-variable-warnings-in-kdb5_ldap_util.patch
Patch15: CVE-2023-36054.patch
BuildRequires: gettext
BuildRequires: gcc make automake autoconf pkgconfig pam-devel libselinux-devel byacc
@ -327,6 +328,9 @@ make -C src check || :
%changelog
* Tue Aug 15 2023 liningjie <liningjie@xfusion.com> - 1.19.2-9
- fix CVE-2023-36054
* Thu Jun 15 2023 xuraoqing <xuraoqing@huawei.com> - 1.19.2-8
- add version for Obsoletes and Provides of workstation